CVE-2019-12548

Bludit before 3.9.0 allows remote code execution for an authenticated user by uploading a php file while changing the logo through /admin/ajax/upload-logo.
Source: NIST
CVE-2019-12548